The group of security companies headed by two of the country’s technology and cyber veterans, CyberCX, has floated the idea of government assistance to help startups comply with the requirements under Australia’s Consumer Data Right (CDR).
In a submission [PDF] to the Select Committee on Financial Technology and Regulatory Technology and its probe into the opportunities the two sectors present to Australia, CyberCX said it appreciates the financial challenges faced by new entrants into the industry, but argued that, rather than resorting to “screen scraping” or diluting the rules, it would be preferable for government to assist smaller organisations to meet the highest level of compliance.
The now-delayed CDR, through the Treasury Laws Amendment (Consumer Data Right) Bill, allows individuals to “own” their data by granting them open access to their banking, energy, phone, and internet transactions, in addition to gaining the right to control who can have it and who can use it.
The first sector that will have the CDR applied is banking, with telecommunications and energy soon to follow.
Under open banking, it is proposed that highly valuable consumer data be transferable via API and that multiple parties will be able to receive and store data.
“CyberCX is pleased to see the ACCC has developed extensive prospective rules around data transference, handling, and storage requirements. We believe these rules … will ensure consumer data is sufficiently protected,” the submission said.
“It was therefore concerning to read in the committee’s Issues Paper that some small and startup financial organisations believe the costs associated with meeting the ACCC rules will be a hindrance to their participation.”
Pointing to commentary from FinTech Australia, CyberCX said compliance costs of meeting the ACCC rules would average AU$50,000-AU$100,000 annually.
“FinTech Australia goes on to suggest that compliance with the ACCC’s CDR rules should be easier and cheaper than ‘screen scraping’,” CyberCX continued. “There seems to be an indication that some small or start-up financial organisations would opt-out of Open Banking in favour of continuing to engage in ‘screen scraping’ unless the costs associated with meeting the ACCC rules are reduced.
“CyberCX believes that ‘screen scraping’ of this nature is not best practice when it comes to information security or privacy protection.”
The organisation said that in the event of passwords being leaked, individuals risk having other online accounts compromised, given how commonly passwords and login credentials are reused across services.
“At a time when we should be seeking to instil in individuals a greater awareness of the importance of online security, encouraging people to reveal their passwords is precisely the wrong message,” the submission said. “Our concern is that ‘screen scraping’ legitimises and gets consumers used to handing over their passwords to 3rd parties.”
Instead, CyberCX believes it’s appropriate that open banking participants meet the highest information security and privacy protection rules.
On the suggestion that the ACCC create more than one level of accreditation, CyberCX said it “would not wish to see a less onerous version of the ACCC rules in order to accommodate small or startup financial organisations”.
“Were some financial organisations able to achieve accreditation through less rigorous rules, it would create an incentive for attackers to target those organisations,” it said.
The government assistance, CyberCX said, could be accomplished through the establishment of either a loan or voucher scheme.
“Loans could be offered to qualifying small and startup financial organisations in order to invest in strengthening their cybersecurity postures and meeting the ACCC rules,” CyberCX wrote.
“These could be repaid once the organisation passes a specified revenue threshold. Alternatively, a voucher scheme could be established where government covers part of the costs of achieving a stronger cybersecurity posture.”
CyberCX, backed by private equity firm BGH Capital, brings together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co., Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT.
It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre (ACSC) and once Special Adviser on Cyber Security to former Prime Minister Malcolm Turnbull, as well as John Paitaridis, who was formerly Optus Business’ managing director.